Autodiscover exposed

for Exchange & O365

Autodiscover is a fundamental technology in Exchange and Office 365. When Outlook first starts the ‘out of the box experience’ is that it will first of all figure out if it can find an email address for you on the account you’re logged in with and then takes you through a wizard driven interface to ultimately run an autodiscover sequence.

The autodiscover steps

Autodiscover tries various methods to attempt to reach a web service that will give it the settings needed to connect to your mailbox. The steps are as follows (in order)

1. Active Directory Service Connection Point (SCP)

Outlook looks in the Active Directory that you are connected to using LDAP://RootDSE and then getting the configurationNamingContext partition. It then runs an LDAP query on the configuration partition with the following filter

It takes the results of this query and first of all splits them into SCP records that have a keywords entry starting with ‘domain=’ and those that don’t have any ‘domain=’ keywords entries. If it finds an SCP where the domain= entry has your email domain after the equal sign then it uses the serviceBindingInformation attribute to either look in another LDAP (if the GUID in keywords was 67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68) or post to a web service.

If there is no SCP with a domain= matching your email domain, then it checks to see if there are any SCPs without any domain= entries in keywords. If there are then it will sort these into three ‘buckets’

site= entry in keywords matches your Active Directory site

no site= entry in keywords

site= entry found in keywords but they do not match your Active Directory site

It will then start with bucket 1 followed by 2 and finally 3 and tries each serviceBindingInformation link in turn looking for a valid response.

Now if you’re not connected to Active Directory then this step is skipped altogether. This can be switched off with the ExcludeScpLookup registry entry.

2. Email domain via https

Using your email address autodiscover checks your email domain (the bit after the @ sign) and sends a post to https://emaildomain/autodiscover/autodiscover.xml This generally doesn’t yield a good result, in fact I don’t know why Microsoft chose to put this option 2nd and not 3rd… Anyway, generally this will either fail because there is no DNS entry for emaildomain or it hits your corporate web site, which is unlikely to have an autodiscover.xml file in the autodiscover directory. This can be switched off with the ExcludeHttpsRootDomain registry entry.

3. Autodiscover email domain via https

Using your email address autodiscover checks your email domain with a preceding autodiscover, and it sends a post to https://autodiscover.emaildomain/autodiscover/autodiscover.xml. For an on-premises Exchange environment this often does yield a successful result. This can be switched off with the ExcludeHttpsAutodiscoverDomain registry entry.

4. Local XML file

A local XML file can be placed in %LOCALAPPDATA%\Microsoft\Outlook and called autodiscover.xml. This xml file will then be read by Outlook and used to obtain settings for the user. This can be made the first method using the registry entry PreferLocalXML and adding a registry entry for the user’s email address of email domain and specifying the full path to the local XML file.

5. Email domain via http

Using your email address autodiscover checks your email domain (the bit after the @ sign) and sends a get to http://autodiscover.emaildomain/autodiscover/autodiscover.xml and it is looking for an HTTP redirect, i.e. a 301 or 302 status code telling it what URL to try next. This can be switched off with the ExcludeHttpRedirect registry entry.

6. DNS SRV record

Finally autodiscover will look up an SRV record in DNS based on your emaildomain. It will look for _autodiscover._tcp.emaildomain and the host and port settings on that SRV record will tell it which URL and port to try to connect to. This can be switched off with the ExcludeSrvRecord registry entry.

7. Cached URL in Outlook Profile

In Outlook 2010 Microsoft started to cache the last known good autodiscover URL in the profile so that they could refer back to that if needed in future. This can be switched off with the ExcludeLastKnownGoodUrl registry entry.

8. Direct Connect for Office 365

This is a new method in Outlook 2016 which assumes that the email domain is on Office 365 and so tries three requests to confirm if this is an Office 365 hosted domain. This can be switched off with the ExcludeExplicitO365Endpoint registry entry.

Autodiscover Scenarios

Autodiscover for Exchange On-Premises in the User Forest

In a pure Exchange on-premises environment where Exchange is in the same forest as your user accounts then the ‘SCP method’ is most likely to give you a success (as long as Exchange is configured correctly) When you are at home then if your company has published Exchange to the Internet then the ‘autodiscover email domain via https’ method is likely to give you the right answer.

Autodiscover for Exchange On-Premises in a resource forest

In an Exchange resource forest scenario either the SCP method is successful (if your Exchange admin has used PowerShell to export the SCP settings from the resource forest and put that into the user account forest. It would have created a single SCP in the user account forest with a serviceBindingInformation of LDAP://exchange-forest-fqdn. Causing autodiscover to query the Exchange forest for SCP records and generally succeeding there. (NOTE that since autodiscover will look for AD Sites it is important to be aware of site names in both the user and Exchange forests)

If your admin has NOT exported the SCPs then the next most likely option to succeed is again the ‘autodiscover email domain via https’ method.

Autodiscover for Office 365

In Office 365 we’re asked by Microsoft to create an autodiscover.emaildomain CNAME in DNS and point it at autodiscover.outlook.com. This is so that the ‘Email domain via http method’ can get a redirect from autodiscover.outlook.com which will be autodiscover-s.outlook.com and sometimes it will then get another redirect to podXXXX.outlook.com before finally getting the settings it needs.

Autodiscover for Office 365 in Hybrid

In a hybrid configuration autodiscover will first find the on-premises Exchange server as if Office 365 wasn’t there, however if the user making the autodiscover request is looking for a mailbox in Office 365 then the on-premises user object will have a targetAddress entry with @O365domain.mail.onmicrosoft.com (where O365domain is the tenant short name). The fact that the object has a targetAddress causes autodiscover to switch to use that targetAddress email domain and runs through the above options. Now that the targetAddress points to Office 365 it uses the Email domain via http method to get redirected and ultimately finds its settings

Try the local xml file, but fails with 0x8004010F, meaning file not found

Do the redirect check to the email domain, gets autodiscover-s.outlook.com back (some software shows this as a failure code 0x800c8204) and tries that. First gets a 401 again in order to authenticate and then a 200 http status code and it succeeds with error code 0x00000000

Analysing Autodiscover

Using tools like Process Monitor from Microsoft/Sysinternals and Fiddler from Telerik we can see deeper into autodiscover. I’ve tested using the mail applet from control panel but you can use any tool that runs autodiscover and then trace them with Process Explorer and Fiddler. If you want to see inside the HTTPS stream then in Fiddler you’ll need to enable decryption and accept the prompts about trusting a self signed root certificate. This makes Fiddler your proxy server and it will pretend it is the website you’re after by creating a valid certificate on the fly and then establish a connection to the real web server on your behalf. This allows it to see inside of the encrypted HTTPS stream. Anyway I digress.

Looking at Process Monitor and filtering to only RegQueryKey commands we can see that a number of registry key entries are checked.

The majority of these have been mentioned above already but here is a summary of the ones that are in HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover (where the version number is the version of Office you’re using).

Key

Description

ZeroConfigExchange

Prevent the Wizard UI from displaying, but runs as if you click next to each screen

DisableAutoStartup

Prevent the Wizard from running altogether

ExampleName

Set the Name field in the Wizard

ExampleAddress

Set the Email Address field in the Wizard

AllowAutoDiscoverToAutoLogonToInternetDuringAccountCreation

Allow Outlook to send the logged on user’s NTLM credentials over the Internet to set up an in-place Exchange account for the logged on user

Timeout

Number of seconds to wait for each step to timeout

PreferLocalXML

Use the local XML file if it exists in preference to any other method

ExcludeSCPLookup

Prevent method 1 from running

ExcludeHttpsRootDomain

Prevent method 2 from running

ExcludeHttpsAutodiscoverDomain

Prevent method 3 from running

ExcludeHttpRedirect

Prevent method 5 from running

ExcludeSrvRecord

Prevent method 6 from running

ExcludeLastKnownGoodUrl

Prevent method 7 from running

ExcludeExplicitO365Endpoint

Prevent method 8 from running

AttemptPreAuth

Use Pre Authentication for each web request (i.e. assume that the server requires authentication instead of waiting for the 401 HTTP response)

ShowCertErrors

Show an certificate errors like non-trusted, invalid time period, etc.

MaxRetriesOnTimeout

Maximum number of times to retry when a timeout is encountered

<email address>

Path to the local XML file for this user

<email domain>

Path to the local XML file for this domain

There is also a subkey called RedirectServers which can be populated with one value per autodiscover host for which you do NOT want to be alerted about a redirect happening. By default Outlook will prompt the user to ensure they trust the redirection.

Now using Fiddler we can see the autodiscover steps in action, let’s look at three examples in more details

Autodiscover for Office 365

Here we can see autodiscover use the following methods

Method 1 is not applicable since I’m not in Active Directory

Method 2 (Email Domain) is sessions 7 to 9

Method 3 (Autodiscover Domain) is sessions 10 to 12

Method 4 is not shown, I also don’t have a local XML file

Method 5 (Redirect) is session 13-19 where it gets a 302 redirect, then tries autodiscover-s.outlook.com and finally gets an HTTP 200 status

Session 20 is the connection establishing to Office 365 itself

Autodiscover for Office 365 in Hybrid

Here we can see autodiscover use the following methods

Method 1 (SCP record) is sessions 3 to 7 where it gets an HTTP 200 status, and since this account is on Office 365 it is returned the targetAddress

Method 1 (SCP record) for the targetAddress is sessions 8 to 10 where it gets an HTTP 200 status, but we know it will again get a targetAddress and so fails this step

Method 2 (Root Domain) for the targetAddress is session 11 where it gets a 502 error when trying to set up the tunnel, i.e. unable to connect

Method 3 (Autodiscover Domain) for the targetAddress is session 12 where it gets a 502 error when trying to set up the tunnel, i.e. unable to connect

Method 4 is not shown, I also don’t have a local XML file

Method 5 (HTTP redirect) for the targetAddress is sessions 13 to 16 where it gets an HTTP 302 status, and then connects to autodiscover-s.outlook.com, gets a 401 status first for authentication followed by 200

Sessions 17 onwards are then connecting to Office 365 itself

Autodiscover for an invalid email address

Here we can see autodiscover use the following methods

Method 1 is not shown since we’re not in Active Directory

Method 2 (Root Domain) is sessions 64 to 65 and get an HTTP 502 status, i.e. unable to connect

Method 3 (Autodiscover Domain) is sessions 66 to 67 and get an HTTP 502 status, i.e. unable to connect

Method 4 is not shown as there is no local XML file

Method 5 (HTTP Redirect) is sessions 68 to 69 and get an HTTP 502 status, i.e. unable to connect

Method 8 (Direct Access) is sessions 70 onwards, and the final HTTP 400 status tells us it was not successful

In summary, autodiscover is a complex piece of software and what is worse is that not every client uses the same set of methods, for example Lync/Skype for Business don’t use SCP or the local XML options. So this is still a bit of a black art but hopefully the above gives you some insight into how autodiscover works

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.

One thing has been bugging me ever since HTTP redirect: if I install a multi-tenant environment with the hosting domain being hosting.tld, and tenant domains tetant1.tld, tenant2.tld, … tenantn.tld, Outlook displays a certificate warning when the redirection occurs from autodiscover.tenant.tld to redirect.hosting.tld, regardless of the fact that the host domain is secured correctly. However I do NOT get a warning when the redirection occurs to O365.

Do you know of any documentation which explains how HTTP redirect to O365 is different from my muti-tenant HTTP redirect and why redirecting to O365 doesn’t generate a cert warning?

Thanks for reading and liking the blog! The key with redirects and avoiding prompts is the registry key ‘RedirectServers’

In my OOTB Office 2016 installation I have one entry for autodiscover-s.outlook.com under HKCU\Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers. Of course Microsoft has the ability to deploy that via updates to every machine in the world, whereas we can only ask users/organizations to add this manually.

Nero Blanco IT Limited is a company initially formed by highly skilled and experienced independent contractors who saw a problem with how large technology migration and consolidation programs were undertaken.